OSS uses JSON-based authorization policies to enforce fine-grained access control on resources. This topic provides a quick reference to the syntax and elements of these policies for configuring complex permissions.
Authorization syntax
OSS authorization policies are written in JSON and contain two core fields: Version and Statement.
Syntax

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow|Deny",
      "Action": ["oss:ActionName"],
      "Principal": ["UID|*"],
      "Resource": ["acs:oss:*:*:bucket-name/*"],
      "Condition": {
        "ConditionOperator": {
          "ConditionKey": ["Value"]
        }
      }
    }
  ]
}
```

Fields
| Field | Description | Required |
| --- | --- | --- |
| Version | Specifies the policy version. The value must be "1", as shown in the syntax above. | Yes |
| Statement | Specifies the core element of the policy. It contains one or more rules that allow or deny access. | Yes |
Statement elements
| Element | Description | Required |
| --- | --- | --- |
| Effect | Specifies whether the statement allows or explicitly denies access. Valid values are Allow and Deny. | Yes |
| Action | Specifies the actions that are allowed or denied. This element supports the asterisk (*) wildcard. | Yes |
| Principal | Specifies the principal (for example, a user, account, or role) that is granted or denied access. Setting this element to an empty array | Required for Bucket Policy |
| Resource | Specifies the resources to which the policy applies. This element supports the asterisk (*) wildcard. | Yes |
| Condition | Specifies the conditions under which the statement takes effect. If a statement includes multiple conditions, they are combined with a logical AND: every condition must be met for the statement to apply. | No |
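The checker below is an added example for this page, not OSS SDK code or a server-side validator. It applies the structural rules stated above (Version must be "1", Effect must be Allow or Deny, Action, Resource and, for a bucket policy, Principal are required, and the region field of a resource ARN may only be "*") and additionally lists the statements that grant access to every principal without a Condition, which is the shape that makes a bucket publicly accessible. The sample policy, the bucket name and the principal UID are constructed for the example.

```python
"""Added example: a minimal structural checker for OSS bucket policies.

Illustrative code for this page, not an OSS SDK or a server-side validator.
Rules applied come from the syntax reference: Version "1", Effect Allow|Deny,
Action/Resource/Principal required, and a "*" region in every resource ARN.
"""
import json
import re

# Resource ARN shape used on this page: acs:oss:{region}:{uid}:bucket/object
RESOURCE_RE = re.compile(r"^acs:oss:(?P<region>[^:]*):(?P<uid>[^:]*):(?P<path>.+)$")
VALID_EFFECTS = {"Allow", "Deny"}


def _as_list(value):
    """Policy fields may be a string or a list of strings; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def validate_policy(policy: dict) -> list:
    """Return a list of problems; an empty list means the policy is well-formed."""
    problems = []
    if policy.get("Version") != "1":
        problems.append('Version must be "1"')
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        if st.get("Effect") not in VALID_EFFECTS:
            problems.append(f"{where}: Effect must be Allow or Deny")
        actions = _as_list(st.get("Action"))
        if not actions:
            problems.append(f"{where}: Action is required")
        for a in actions:
            # service prefix (oss, kms, imm, yundun-cert, ...) + ":" + name or "*"
            if not re.match(r"^[a-z-]+:[A-Za-z*]+$", a):
                problems.append(f"{where}: malformed action {a!r}")
        if not _as_list(st.get("Principal")):
            problems.append(f"{where}: Principal is required in a bucket policy")
        resources = _as_list(st.get("Resource"))
        if not resources:
            problems.append(f"{where}: Resource is required")
        for r in resources:
            m = RESOURCE_RE.match(r)
            if not m:
                problems.append(f"{where}: malformed resource {r!r}")
            elif m.group("region") != "*":
                problems.append(f"{where}: region must be '*' in {r!r}")
        cond = st.get("Condition")
        if cond is not None and not isinstance(cond, dict):
            problems.append(f"{where}: Condition must be an object")
    return problems


def public_statements(policy: dict) -> list:
    """Indexes of Allow statements that apply to any principal with no Condition.

    A simplified form of the question GetBucketPolicyStatus answers: Effect
    Allow plus Principal "*" plus no Condition means any requester matches.
    """
    found = []
    for i, st in enumerate(policy.get("Statement", [])):
        if (st.get("Effect") == "Allow"
                and "*" in _as_list(st.get("Principal"))
                and not st.get("Condition")):
            found.append(i)
    return found


# Constructed sample: HTTPS-only read access for one RAM user, plus an
# unconditional anonymous read grant that public_statements() should flag.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:GetObject", "oss:ListObjects"],
      "Principal": ["20123456789012345"],
      "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/reports/*"],
      "Condition": {"Bool": {"acs:SecureTransport": ["true"]}}
    },
    {
      "Effect": "Allow",
      "Action": ["oss:GetObject"],
      "Principal": ["*"],
      "Resource": ["acs:oss:*:*:example-bucket/public/*"]
    }
  ]
}
""")

if __name__ == "__main__":
    print("problems:", validate_policy(SAMPLE_POLICY))
    print("public statements:", public_statements(SAMPLE_POLICY))
```

Running the block on the sample reports no structural problems and flags statement 1 as public; feeding it a policy with a wrong Version, an invalid Effect, or a concrete region in a resource ARN returns one problem per rule violated.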
Actions
Actions are categorized into three scopes: service-level, bucket-level, and object-level.
Service level
| API | Action | Description |
| --- | --- | --- |
| | oss:ListBuckets | Lists all of the requester's buckets. |
| | oss:ListUserDataRedundancyTransition | Lists all of the requester's storage redundancy transition tasks. |
| None | oss:ActivateProduct | Activates OSS and Content Moderation. |
| None | oss:CreateOrder | Creates orders for OSS resource plans. |
| | oss:PutPublicAccessBlock | Enables block public access for OSS at the account level. |
| | oss:GetPublicAccessBlock | Retrieves the block public access configuration for OSS at the account level. |
| | oss:DeletePublicAccessBlock | Deletes the block public access configuration for OSS at the account level. |
Bucket level
| API | Action | Description |
| --- | --- | --- |
| | oss:PutBucket | Creates a bucket. |
| | oss:ListObjects | Lists information about all objects in a bucket. |
| | oss:GetBucketInfo | Retrieves information about a bucket. |
| | oss:GetBucketLocation | Retrieves the region of a bucket. |
| | oss:GetBucketStat | Retrieves the storage capacity and the number of objects in a bucket. |
| | oss:PutBucketVersioning | Sets the versioning state for a bucket. |
| | oss:GetBucketVersioning | Retrieves the versioning state of a bucket. |
| | oss:ListObjectVersions | Lists the versions of all objects in a bucket, including delete markers. |
| | oss:PutBucketAcl | Sets or modifies the ACL (Access Control List) for a bucket. |
| | oss:GetBucketAcl | Retrieves the ACL (Access Control List) of a bucket. |
| | oss:DeleteBucket | Deletes a bucket. |
| | oss:InitiateBucketWorm | Creates a compliance retention policy. |
| | oss:AbortBucketWorm | Deletes an unlocked compliance retention policy. |
| | oss:CompleteBucketWorm | Locks a compliance retention policy. |
| | oss:ExtendBucketWorm | Extends the retention period for objects in a bucket that has a locked compliance retention policy. |
| | oss:GetBucketWorm | Retrieves information about a compliance retention policy. |
| | oss:PutBucketLogging | Enables access logging for a bucket. |
| | oss:PutObject | Required to write access logs to a target bucket. |
| | oss:GetBucketLogging | Retrieves the access logging configuration of a bucket. |
| | oss:DeleteBucketLogging | Disables access logging for a bucket. |
| | oss:PutBucketWebsite | Enables static website hosting for a bucket and configures its routing rules (RoutingRule). |
| | oss:GetBucketWebsite | Retrieves the static website hosting status and routing rules of a bucket. |
| | oss:DeleteBucketWebsite | Disables static website hosting and deletes the routing rules for a bucket. |
| | oss:PutBucketReferer | Configures hotlink protection for a bucket. |
| | oss:GetBucketReferer | Retrieves the hotlink protection (Referer) configuration of a bucket. |
| | oss:PutBucketLifecycle | Sets the lifecycle rules for a bucket. |
| | oss:GetBucketLifecycle | Retrieves the lifecycle rules of a bucket. |
| | oss:DeleteBucketLifecycle | Deletes the lifecycle rules of a bucket. |
| | oss:PutBucketTransferAcceleration | Configures transfer acceleration for a bucket. |
| | oss:GetBucketTransferAcceleration | Retrieves the transfer acceleration configuration of a bucket. |
| | oss:ListMultipartUploads | Lists all in-progress multipart uploads that have been initiated but not yet completed or aborted. |
| | oss:PutBucketCors | Sets the cross-origin resource sharing (CORS) rules for a bucket. |
| | oss:GetBucketCors | Retrieves the current cross-origin resource sharing (CORS) rules for a bucket. |
| | oss:DeleteBucketCors | Disables cross-origin resource sharing (CORS) for a bucket and clears all existing rules. |
| | oss:PutBucketPolicy | Sets the bucket policy for a bucket. |
| | oss:GetBucketPolicy | Retrieves the bucket policy of a bucket. |
| | oss:DeleteBucketPolicy | Deletes the bucket policy of a bucket. |
| | oss:PutBucketTagging | Adds or modifies tags for a bucket. |
| | oss:GetBucketTagging | Retrieves the tags of a bucket. |
| | oss:DeleteBucketTagging | Deletes the tags of a bucket. |
| | oss:PutBucketEncryption | Configures the server-side encryption rules for a bucket. |
| | oss:GetBucketEncryption | Retrieves the server-side encryption rules of a bucket. |
| | oss:DeleteBucketEncryption | Deletes the server-side encryption rules of a bucket. |
| | oss:PutBucketRequestPayment | Configures the Requester Pays setting for a bucket. |
| | oss:GetBucketRequestPayment | Retrieves the Requester Pays configuration of a bucket. |
| | oss:PutBucketReplication | Sets the data replication rules for a bucket. |
| | oss:ReplicateGet | Configures cross-account data replication or specifies a RAM role for replication. |
| | oss:PutBucketRTC | Enables or disables Replication Time Control (RTC) for an existing cross-region replication rule. |
| | oss:GetBucketReplication | Retrieves the data replication rules configured for a bucket. |
| | oss:DeleteBucketReplication | Stops data replication and deletes the replication configuration for a bucket. |
| | oss:GetBucketReplicationLocation | Retrieves the regions that can be used for destination buckets in a replication rule. |
| | oss:GetBucketReplicationProgress | Retrieves the data replication progress for a bucket. |
| | oss:PutBucketInventory | Configures inventory rules for a bucket. |
| | oss:GetBucketInventory | Retrieves a specified inventory task in a bucket. |
| | oss:GetBucketInventory | Lists all inventory tasks in a bucket. |
| | oss:DeleteBucketInventory | Deletes a specified inventory task from a bucket. |
| | oss:PutBucketAccessMonitor | Configures the access tracking status for a bucket. |
| | oss:GetBucketAccessMonitor | Retrieves the access tracking status of a bucket. |
| | oss:OpenMetaQuery | Enables the metadata management feature for a bucket. |
| | oss:GetMetaQueryStatus | Retrieves information about the metadata index of a bucket. |
| | oss:DoMetaQuery | Queries for objects that meet specified conditions, and lists object information sorted by specified fields and order. |
| | oss:CloseMetaQuery | Disables the metadata management feature for a bucket. |
| | oss:InitUserAntiDDosInfo | Creates an Anti-DDoS for OSS instance. |
| | oss:UpdateUserAntiDDosInfo | Changes the status of an Anti-DDoS for OSS instance. |
| | oss:GetUserAntiDDosInfo | Retrieves information about the Anti-DDoS for OSS instances under a specified account. |
| | oss:InitBucketAntiDDosInfo | Initializes Anti-DDoS protection for a bucket. |
| | oss:UpdateBucketAntiDDosInfo | Updates the Anti-DDoS protection status for a bucket. |
| | oss:ListBucketAntiDDosInfo | Lists the Anti-DDoS protection information for buckets. |
| | oss:PutBucketResourceGroup | Sets the resource group to which a bucket belongs. |
| | oss:GetBucketResourceGroup | Retrieves the ID of the resource group to which a bucket belongs. |
| | oss:CreateCnameToken | Creates a CNAME token required for domain name ownership verification. |
| | oss:GetCnameToken | Retrieves a created CNAME token. |
| | oss:PutCname | Binds a custom domain name to a bucket. |
| | yundun-cert:DescribeSSLCertificatePrivateKey, yundun-cert:DescribeSSLCertificatePublicKeyDetail, yundun-cert:CreateSSLCertificate | Required to bind a certificate when you bind a custom domain name to a bucket. |
| | oss:ListCname | Lists all custom domain names (CNAMEs) bound to a bucket. |
| | oss:DeleteCname | Unbinds a custom domain name (CNAME) from a bucket. |
| | oss:PutStyle | Sets an image style. |
| | oss:GetStyle | Retrieves an image style. |
| | oss:ListStyle | Lists image styles. |
| | oss:DeleteStyle | Deletes an image style. |
| | oss:PutBucketArchiveDirectRead | Enables or disables direct read for Archive objects in a bucket. |
| | oss:GetBucketArchiveDirectRead | Checks whether direct read for Archive objects is enabled for a bucket. |
| | oss:CreateAccessPoint | Creates an access point. |
| | oss:GetAccessPoint | Retrieves information about a single access point. |
| | oss:DeleteAccessPoint | Deletes an access point. |
| | oss:ListAccessPoints | Lists user-level and bucket-level access points. |
| | oss:PutAccessPointPolicy | Configures a policy for an access point. |
| | oss:GetAccessPointPolicy | Retrieves the policy of an access point. |
| | oss:DeleteAccessPointPolicy | Deletes the policy of an access point. |
| | oss:PutBucketHttpsConfig | Enables or disables TLS version settings for a bucket. |
| | oss:GetBucketHttpsConfig | Retrieves the TLS version settings for a bucket. |
| None | oss:ReplicateList | Grants permission to list historical data in a source bucket for replication. This permission allows Object Storage Service (OSS) to list and replicate historical objects individually. |
| | oss:CreateAccessPointForObjectProcess | Creates an Object FC access point. |
| | oss:GetAccessPointForObjectProcess | Retrieves basic information about an Object FC access point. |
| | oss:DeleteAccessPointForObjectProcess | Deletes an Object FC access point. |
| | oss:ListAccessPointsForObjectProcess | Lists user-level Object FC access points. |
| | oss:PutAccessPointConfigForObjectProcess | Modifies the configuration of an Object FC access point. |
| | oss:GetAccessPointConfigForObjectProcess | Retrieves the configuration information of an Object FC access point. |
| | oss:PutAccessPointPolicyForObjectProcess | Configures a permission policy for an Object FC access point. |
| | oss:GetAccessPointPolicyForObjectProcess | Retrieves the permission policy configuration of an Object FC access point. |
| | oss:DeleteAccessPointPolicyForObjectProcess | Deletes the permission policy of an Object FC access point. |
| | oss:WriteGetObjectResponse | Lets you customize the data and headers returned by a GetObject request. |
| | oss:CreateBucketDataRedundancyTransition | Creates a storage redundancy transition task. |
| | oss:GetBucketDataRedundancyTransition | Retrieves a specific storage redundancy transition task. |
| | oss:DeleteBucketDataRedundancyTransition | Deletes a storage redundancy transition task. |
| | oss:ListBucketDataRedundancyTransition | Lists all storage redundancy transition tasks in a bucket. |
| | oss:PutBucketPublicAccessBlock | Enables block public access for a bucket. |
| | oss:GetBucketPublicAccessBlock | Retrieves the block public access configuration of a bucket. |
| | oss:DeleteBucketPublicAccessBlock | Deletes the block public access configuration of a bucket. |
| | oss:PutAccessPointPublicAccessBlock | Enables block public access for an access point. |
| | oss:GetAccessPointPublicAccessBlock | Retrieves the block public access configuration of an access point. |
| | oss:DeleteAccessPointPublicAccessBlock | Deletes the block public access configuration of an access point. |
| | oss:GetBucketPolicyStatus | Checks whether the current bucket policy allows public access. |
| PutBucketOverwriteConfig | oss:PutBucketOverwriteConfig | Configures overwrite protection for a bucket. |
| GetBucketOverwriteConfig | oss:GetBucketOverwriteConfig | Retrieves the overwrite protection configuration of a bucket. |
| | oss:DeleteBucketOverwriteConfig | Deletes the overwrite protection configuration of a bucket. |
Object level
| API | Action | Description |
| --- | --- | --- |
| | oss:PutObject | Uploads an object. |
| | oss:PutObjectTagging | Specifies object tags using |
| | kms:GenerateDataKey, kms:Decrypt | Uploads an object with KMS server-side encryption by specifying |
| | oss:PutObject | Uploads an object to a specified bucket using an HTML form. |
| | oss:PutObject | Uploads an object by appending data. |
| | oss:PutObjectTagging | Specifies object tags using |
| | oss:PutObject | Initiates a multipart upload task. |
| | oss:PutObjectTagging | Specifies object tags using |
| | kms:GenerateDataKey, kms:Decrypt | Initiates a multipart upload for an object with KMS server-side encryption by specifying |
| | oss:PutObject | Uploads a part based on the specified object name and upload ID. |
| | oss:PutObject | Completes a multipart upload task after all parts are uploaded. |
| | oss:PutObjectTagging | Completes a multipart upload task and specifies object tags after all parts have been uploaded. |
| | oss:AbortMultipartUpload | Aborts a multipart upload task and deletes the corresponding parts. |
| | oss:PutObject | Creates a symlink for a target object in OSS. |
| | oss:PutObjectTagging | Creates a symlink with specified object tags for a target object in OSS. |
| | oss:GetObject | Retrieves an object. |
| | kms:Decrypt | Downloads a KMS-encrypted object. |
| | oss:GetObjectVersion | Downloads a specific version of an object. |
| | oss:GetObject | Retrieves the metadata of an object. |
| | oss:GetObject | Retrieves object metadata, including its ETag, size, and last modified time. |
| | oss:GetObject | Executes an SQL statement on a target object and returns the result. |
| | oss:GetObject | Retrieves the symlink of a target object. |
| | oss:DeleteObject | Deletes an object. |
| | oss:DeleteObjectVersion | Deletes a specific version of an object. |
| | oss:DeleteObject | Deletes multiple objects from the same bucket. |
| | oss:GetObject, oss:PutObject | Copies an object between buckets in the same region. |
| | oss:GetObjectVersion | Copies a specific version of an object between buckets in the same region. |
| | oss:GetObjectTagging, oss:PutObjectTagging | Copies an object with specified tags between buckets in the same region. |
| | kms:GenerateDataKey, kms:Decrypt | Copies an object and encrypts the destination object by specifying |
| | oss:GetObjectVersionTagging | Copies a specific version of an object with specified tags between buckets in the same region. |
| | oss:GetObject, oss:PutObject | Uploads a part by copying data from an existing object using an |
| | oss:GetObjectVersion | Uploads a part by copying data from a specific version of an existing object using an |
| | oss:ListParts | Lists all successfully uploaded parts for a specified upload ID. |
| | oss:PutObjectAcl | Modifies the ACL of an object in a bucket. |
| | oss:PutObjectVersionAcl | Modifies the ACL of a specific version of an object in a bucket. |
| | oss:GetObjectAcl | Retrieves the ACL of an object in a bucket. |
| | oss:GetObjectVersionAcl | Retrieves the ACL of a specific version of an object in a bucket. |
| | oss:RestoreObject | Restores an object from the Archive Storage, Cold Archive Storage, or Deep Cold Archive Storage classes. |
| | oss:RestoreObjectVersion | Restores a specific version of an object from the Archive Storage, Cold Archive Storage, or Deep Cold Archive Storage classes. |
| | oss:PutObjectTagging | Sets or updates the tags for an object. |
| | oss:PutObjectVersionTagging | Sets or updates the tags for a specific version of an object. |
| | oss:GetObjectTagging | Retrieves the tags of an object. |
| | oss:GetObjectVersionTagging | Retrieves the tags of a specific version of an object. |
| | oss:DeleteObjectTagging | Deletes the tags of a specified object. |
| | oss:DeleteObjectVersionTagging | Deletes the tags of a specific version of an object. |
| | oss:PutLiveChannel | Creates a LiveChannel to upload audio and video data over RTMP. |
| | oss:ListLiveChannel | Lists specified LiveChannels. |
| | oss:DeleteLiveChannel | Deletes a specified LiveChannel. |
| | oss:PutLiveChannelStatus | Switches the status of a LiveChannel between enabled and disabled. |
| | oss:GetLiveChannel | Retrieves the configuration of a specified LiveChannel. |
| | oss:GetLiveChannelStat | Retrieves the streaming status of a specified LiveChannel. |
| | oss:GetLiveChannelHistory | Retrieves the streaming history of a specified LiveChannel. |
| | oss:PostVodPlaylist | Generates a VOD playlist for a specified LiveChannel. |
| | oss:GetVodPlaylist | Retrieves the playlist generated from a specified LiveChannel's stream within a given time frame. |
| N/A | oss:PublishRtmpStream | Pushes audio and video data streams over RTMP. |
| N/A | oss:ProcessImm | Grants permission to process data in OSS using IMM. |
| | oss:GetObject | Grants permission to process data using IMM through a POST request. |
| | oss:PutObject | Grants permission to perform a SaveAs data processing task using IMM. |
| | oss:PostProcessTask | Saves a processed image to a specified bucket. |
| | imm:CreateOfficeConversionTask | Grants permission to convert documents or create snapshots using IMM. |
| | imm:GenerateWebofficeToken | Retrieves a Weboffice token. |
| | imm:RefreshWebofficeToken | Refreshes a Weboffice token. |
| N/A | oss:ReplicateGet | Grants read permissions for data replication. This allows OSS to read data and metadata (including objects, parts, and multipart uploads) from the source and destination buckets. |
| N/A | oss:ReplicatePut | Grants write permissions for data replication, allowing OSS to perform write operations on the destination bucket, such as writing objects, parts, and symlinks, and modifying metadata. |
| N/A | oss:ReplicateDelete | Grants delete permissions for data replication, allowing OSS to perform delete operations on the destination bucket. Note: This action is required for the RAM role only when the data replication mode is set to Add/Delete/Modify/Sync. |
Resource pool QoS
| API | Action | Description |
| --- | --- | --- |
| | oss:PutBucketQoSInfo | Sets flow control for a bucket in a resource pool. |
| | oss:GetBucketQoSInfo | Retrieves the flow control configuration for a bucket in a resource pool. |
| | oss:DeleteBucketQoSInfo | Deletes the flow control configuration for a bucket in a resource pool. |
| | oss:PutBucketRequesterQoSInfo | Sets bucket-level flow control for a requester. |
| | oss:GetBucketRequesterQoSInfo | Retrieves the bucket-level flow control configuration for a requester. |
| | oss:ListBucketRequesterQoSInfos | Lists all bucket-level flow control configurations for all requesters. |
| | oss:DeleteBucketRequesterQoSInfo | Deletes the bucket-level flow control configuration for a requester. |
| | oss:ListResourcePools | Lists all resource pools in the current account. |
| | oss:GetResourcePoolInfo | Retrieves the flow control configuration for a resource pool. |
| | oss:ListResourcePoolBuckets | Lists the buckets in a specified resource pool. |
| | oss:PutResourcePoolRequesterQoSInfo | Sets flow control for a requester in a resource pool. |
| | oss:GetResourcePoolRequesterQoSInfo | Retrieves the flow control configuration for a requester in a resource pool. |
| | oss:ListResourcePoolRequesterQoSInfos | Lists the flow control configurations for all requesters in a specified resource pool. |
| | oss:DeleteResourcePoolRequesterQoSInfo | Deletes the flow control configuration for a requester in a resource pool. |
Vector bucket
| API | Action | Description |
| --- | --- | --- |
| | oss:PutVectorBucket | Creates a vector bucket. |
| | oss:GetVectorBucket | Retrieves the details of a vector bucket. |
| | oss:ListVectorBuckets | Lists all vector buckets owned by the requester. |
| | oss:DeleteVectorBucket | Deletes a vector bucket. |
| | oss:PutBucketLogging | Enables log shipping for a vector bucket. |
| | oss:PutObject | Writes logs to the destination bucket if log shipping is enabled. |
| | oss:GetBucketLogging | Retrieves the log shipping configuration of a vector bucket. |
| | oss:DeleteBucketLogging | Disables log shipping for a vector bucket. |
| | oss:PutBucketPolicy | Sets the bucket policy for a vector bucket. |
| | oss:GetBucketPolicy | Retrieves the bucket policy for a vector bucket. |
| | oss:DeleteBucketPolicy | Deletes the bucket policy for a vector bucket. |
| | oss:PutVectorIndex | Creates a vector index. |
| | oss:GetVectorIndex | Retrieves the details of a vector index. |
| | oss:ListVectorIndexes | Lists all vector indexes in a vector bucket. |
| | oss:DeleteVectorIndex | Deletes a vector index. |
| | oss:PutVectors | Writes vector data to a vector index. |
| | oss:GetVectors | Retrieves specified vector data. |
| | oss:ListVectors | Lists all vector data in a vector index. |
| | oss:QueryVectors | Performs a vector similarity search. |
| | oss:DeleteVectors | Deletes specified vector data from a vector index. |
Resource
The Resource element specifies the resources to which the policy applies. It supports the asterisk (*) wildcard, and a single bucket policy can list multiple resources.
Bucket
| Category | Format | Example |
| --- | --- | --- |
| Bucket level | | |
| Object level | | |
| Resource pool level | | |
The {region} field currently supports only the asterisk (*) wildcard.
Vector bucket
| Resource level | Format | Example |
| --- | --- | --- |
| All vector resources | | |
| Vector bucket | | |
| Vector index | | |
Condition
The Condition element specifies the constraints under which a policy takes effect. It consists of a condition operator, a condition key, and a condition value.
Condition operators
| Type | Supported operators |
| --- | --- |
| String | |
| Number | |
| Date and time | |
| Boolean | Bool |
| IP address | |
Condition keys
| Condition key | Description |
| --- | --- |
| acs:SourceIp | Specifies a standard IP CIDR block. The asterisk ( |
| acs:SourceVpc | Specifies the VPC, which can be a specific VPC ID or. Note: When you use |
| acs:UserAgent | Specifies the HTTP User-Agent header. Type: String. |
| acs:CurrentTime | The time at which the request arrives at the OSS server. Format: ISO 8601. |
| acs:SecureTransport | The protocol of the request. Valid values: true (the request is sent over HTTPS) and false (the request is sent over HTTP). |
| oss:x-oss-acl | Restricts the type of bucket ACL. Valid values: private, public-read, and public-read-write. For more information, see bucket ACL. |
| oss:x-oss-object-acl | Restricts the type of object ACL. Valid values: default, private, public-read, and public-read-write. For more information, see object ACL. |
| oss:Prefix | Used in |
| oss:Delimiter | Used in |
| acs:AccessId | The AccessKey ID included in the request. |
| oss:BucketTag | Specifies a bucket tag. A single BucketTag can be used as a Condition. When you configure multiple BucketTags, you must add |
| acs:MFAPresent | Checks whether multi-factor authentication (MFA) was used for the request. Valid values: true and false. |
| oss:ExistingObjectTag | Specifies an existing tag of the requested object. A single ObjectTag can be used as a Condition. When you use multiple ObjectTags, you must prefix each ObjectTag with. This mainly applies to |
| oss:RequestObjectTag | Specifies an object tag included in the request. A single ObjectTag can be used as a Condition. When you use multiple ObjectTags, you must add the. This primarily applies to object write operations such as |
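The evaluator below is an added example for this page, not the OSS authorization engine or any SDK code. It demonstrates the policy syntax and the Condition semantics described above: Action and Resource are matched with the asterisk wildcard, every operator/key pair inside one Condition must match (logical AND), a list of condition values matches if any of them matches, an explicit Deny overrides any Allow, and a request that no statement allows is implicitly denied. The request context uses the condition-key names from the table (acs:SourceIp, acs:SecureTransport, acs:UserAgent, acs:CurrentTime); the operator names StringEquals, StringLike, IpAddress, DateGreaterThan and DateLessThan, the sample policy, the bucket name, the principal UID and the addresses are all constructed for the example.

```python
"""Added example (not the OSS engine): evaluate a request against a policy.

Implements the semantics described on this page: wildcard matching for
Action and Resource, logical AND across condition operators and keys,
any-of matching for a list of condition values, explicit Deny over Allow,
and implicit denial when no statement matches.
"""
from datetime import datetime
from fnmatch import fnmatchcase
import ipaddress


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _parse_time(s):
    # ISO 8601 as used by acs:CurrentTime; fromisoformat wants +00:00, not Z.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _match_one(op, actual, wanted):
    """Compare one request value with one policy value under an operator."""
    if op == "StringEquals":
        return actual == wanted
    if op == "StringLike":
        return fnmatchcase(actual, wanted)
    if op == "Bool":
        return str(actual).lower() == str(wanted).lower()
    if op == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(wanted, strict=False)
    if op == "DateGreaterThan":
        return _parse_time(actual) > _parse_time(wanted)
    if op == "DateLessThan":
        return _parse_time(actual) < _parse_time(wanted)
    raise ValueError(f"unsupported condition operator: {op}")


def condition_matches(condition, context):
    """Every operator and key must match; a key absent from the request never matches."""
    for op, keys in (condition or {}).items():
        for key, wanted in keys.items():
            if key not in context:
                return False
            if not any(_match_one(op, context[key], w) for w in _as_list(wanted)):
                return False
    return True


def statement_applies(st, request):
    """Principal, Action, Resource and Condition must all match."""
    principals = _as_list(st.get("Principal", []))
    if not any(p == "*" or p == request["principal"] for p in principals):
        return False
    if not any(fnmatchcase(request["action"], a) for a in _as_list(st["Action"])):
        return False
    if not any(fnmatchcase(request["resource"], r) for r in _as_list(st["Resource"])):
        return False
    return condition_matches(st.get("Condition"), request["context"])


def evaluate(policy, request):
    """Return "Deny" (explicit), "Allow", or "ImplicitDeny"."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if statement_applies(st, request):
            if st["Effect"] == "Deny":
                return "Deny"  # an explicit Deny short-circuits every Allow
            decision = "Allow"
    return decision


# Constructed sample policy: one RAM user may read reports/ over HTTPS from one
# office CIDR; any plaintext-HTTP request for an object is explicitly denied.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["oss:GetObject", "oss:ListObjects"],
            "Principal": ["20123456789012345"],
            "Resource": ["acs:oss:*:*:example-bucket", "acs:oss:*:*:example-bucket/reports/*"],
            "Condition": {
                "Bool": {"acs:SecureTransport": ["true"]},
                "IpAddress": {"acs:SourceIp": ["203.0.113.0/24"]},
            },
        },
        {
            "Effect": "Deny",
            "Action": ["oss:*"],
            "Principal": ["*"],
            "Resource": ["acs:oss:*:*:example-bucket/*"],
            "Condition": {"Bool": {"acs:SecureTransport": ["false"]}},
        },
    ],
}


def make_request(principal, action, key, https=True, source_ip="203.0.113.7"):
    """Build a constructed request for example-bucket/<key>."""
    return {
        "principal": principal,
        "action": action,
        "resource": f"acs:oss:*:*:example-bucket/{key}",
        "context": {"acs:SecureTransport": "true" if https else "false",
                    "acs:SourceIp": source_ip},
    }


if __name__ == "__main__":
    uid = "20123456789012345"
    for req in (make_request(uid, "oss:GetObject", "reports/q1.csv"),
                make_request(uid, "oss:GetObject", "reports/q1.csv", https=False),
                make_request(uid, "oss:GetObject", "reports/q1.csv", source_ip="198.51.100.9"),
                make_request(uid, "oss:PutObject", "reports/q1.csv")):
        print(req["action"], req["context"], "->", evaluate(SAMPLE_POLICY, req))
```

Running the block shows the four outcomes a practitioner should expect: the HTTPS read from the office range is allowed, the same read over HTTP hits the explicit Deny, the read from an address outside the CIDR fails the AND-ed condition and is implicitly denied, and a write is implicitly denied because no statement grants oss:PutObject.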